
10/13/15 - The FFIEC’s Cybersecurity Assessment Tool: A New Way to Identify and Manage Cybersecurity Risk

The Federal Financial Institutions Examination Council recently published a cybersecurity assessment tool that combines risk profiling and maturity modeling to help financial institutions improve their cybersecurity preparedness.[1] This assessment tool merits the early and close attention of board directors and top-level executives at financial institutions regulated by the agencies that make up the FFIEC.

Firms regulated by FFIEC member agencies will soon have to begin using the assessment tool to measure their cybersecurity preparedness. The Office of the Comptroller of the Currency, for instance, said that “OCC examiners will begin incorporating the Assessment into examinations in late 2015.”[2]

But companies in other sectors — by tailoring the assessment’s risk and maturity criteria to fit nonfinancial services and products — can also use it successfully to assess their cybersecurity preparedness. The FFIEC ensured that the assessment is compatible with the cybersecurity framework published in February 2014 by the National Institute of Standards and Technology for organizations in every industry.[3] The council’s side-by-side comparison of the principles and statements set forth in the NIST framework and those in the FFIEC assessment shows the two documents’ alignment.[4] And firms that have already started using NIST’s guidance can now supplement it with the FFIEC assessment, to measure their cybersecurity risk and contrast it with their ability to manage and mitigate that risk.

The Assessment

FFIEC assessments consist of two broad elements: a profile of an institution’s inherent cybersecurity risk (i.e., the cybersecurity risk a firm faces, prior to the implementation of any controls) and a measure of a firm’s cybersecurity maturity. An institution can determine its inherent-risk profile and maturity level using the FFIEC’s repeatable and flexible approach.

The assessment’s inherent-risk profile examines cybersecurity risks grouped in five categories: technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats. The FFIEC provides guidance — in the form of quantifying statements — on what it expects under each subcategory and risk level.

The portion of the assessment that rates a firm’s cybersecurity maturity is broken down into five domains: cybersecurity risk management and oversight, threat intelligence, cybersecurity controls, external dependencies, and cybersecurity-incident management and resilience. These domains contain a series of assessment factors and contributing components that, in turn, generate a maturity rating for each of these aspects of a firm’s cybersecurity. The five levels of maturity are baseline, evolving, intermediate, advanced, and innovative.

Cybersecurity Risk Management: The Five Levels of Maturity

BASELINE: Characterized by the meeting of minimum expectations required by law and regulations and compliance-driven objectives

EVOLVING: Adds risk-driven objectives, formally documented procedures and policies, and cybersecurity accountability that goes beyond protecting customer information to safeguarding information assets and systems

INTERMEDIATE: Incorporates a detailed, formal process in which controls are validated and reliable and risk management practices and analyses are integrated into business strategies

ADVANCED: Has cybersecurity practices and analytics that span all business units; most risk management processes are automated and allow for continuous process improvement; accountability for risk is clearly defined

INNOVATIVE: Characterized by the involvement of people, processes, and technology in the management of cybersecurity risks; development of new controls or tools by means of information-sharing; and the automation of predictive analytics

The Process

The assessment’s first step is to gauge an organization’s inherent risk profile based on the five categories. Management then evaluates cybersecurity maturity for each of the five domains. The FFIEC assessment is not designed to derive an overall maturity level for the entire organization, because of the danger of distorting or glossing over individual areas of weakness, although some executives might be tempted to use a composite risk level as a handy but simplistic metric.

Management then determines whether the firm’s cybersecurity maturity levels are appropriate in relation to the firm’s inherent risks. The FFIEC suggests that firms meet increasing levels of inherent risk with commensurate levels of cybersecurity maturity. Independent evaluation of both risk and maturity will be crucial to provide an impartial appraisal of where these measurements are out of alignment — a key aspect of the assessment process. Institutions at which cybersecurity maturity falls short of inherent risk may take action either to reduce risk or to increase maturity — typically by adding specific controls or countermeasures.

Comparison with the NIST Framework

The assessment and the framework are both vehicles for comprehensive appraisals of organizational cybersecurity governance, and neither of them specifies what controls to implement and how. For that guidance, one needs to drill down into underlying control sets (such as ISO 27001) and technology-specific standards.

The assessment complements and extends the functionality of the NIST cybersecurity framework in important ways. The FFIEC’s line-by-line mapping of its assessment to the NIST framework shows overlap between the two sets of guidelines. And organizations that have already used the NIST framework will enjoy a significant advantage — in having already addressed much of the groundwork — when they begin using the FFIEC assessment.

The mapping document that compares and contrasts the FFIEC assessment and NIST framework also shows that the former is slightly more stringent than the latter. NIST’s Tier 1 requirements, for example, fall below the lowest, “baseline” level described in the assessment’s maturity model; and NIST’s Tier 4 requirements map at or below the FFIEC “advanced” maturity level. The two sets of guidance are certainly not equivalent, but their similarity points to widely recognized, and increasingly demanding, requirements for cybersecurity. And they both demonstrate the need to raise the bar against growing sophistication and complexity in the cybersecurity threat landscape.

Comparison: FFIEC Cybersecurity Assessment Tool vs. NIST Framework

Applicability
  FFIEC Cybersecurity Assessment Tool: Financial institutions
  NIST Framework: Any organization deemed by regulators to fall within critical infrastructure
  Overlap: Assessment of organizational cybersecurity governance

Usability
  FFIEC Cybersecurity Assessment Tool: Quantitative inputs required; knowledge of cybersecurity risk governance necessary
  NIST Framework: Less quantitative, but requiring knowledge of cybersecurity risk governance
  Overlap: Measurement using either framework requires in-depth knowledge of information risk governance

Organization
  FFIEC Cybersecurity Assessment Tool: Uses domains and assessment factors to describe cybersecurity activities
  NIST Framework: Uses functions and categories to describe cybersecurity activities
  Overlap:
  • FFIEC Domain 1 (“Cyber Risk Management and Oversight”) broadly aligns with NIST’s “Identify” function
  • FFIEC Domain 2 (threat intelligence, monitoring and analysis, and collaboration with external agencies) aligns with NIST’s “Identify” function
  • FFIEC Domain 3 groups protective, detective, and preventive controls; NIST spreads these controls across separate functions (primarily in the “Protect,” “Detect,” and “Respond” functions)
  • FFIEC Domain 4 separates external dependency management; NIST deals with it mostly as part of its “Identify” function
  • FFIEC Domain 5 covers business continuity and incident management, mitigation, and resilience; NIST’s “Respond” and “Recover” functions cover these areas

Risk Modeling
  FFIEC Cybersecurity Assessment Tool: Yes, in detail, using quantitative inputs
  NIST Framework: None
  Overlap: None

Maturity Measurement
  FFIEC Cybersecurity Assessment Tool: Yes, in detail, against five domains and subordinate assessment factors
  NIST Framework: No, but implementation tiers — 1 (Partial), 2 (Risk-Informed), 3 (Repeatable), and 4 (Adaptive) — measure rigor and sophistication of implementation, as well as integration with overall risk management practices
  Overlap: Yes, but the FFIEC assessment provides more detailed assessments for the financial sector

Comment
  FFIEC Cybersecurity Assessment Tool: Adaptable beyond the financial sector with some reworking
  NIST Framework: Designed for institutions deemed critical infrastructure, but can be used more widely; provides mapping to ISO 27001, NIST 800-53R4 controls, and other industry-specific standards
  Overlap: Detailed mapping exists between the two

Why Use the Assessment?

Even organizations from outside of the financial sector and not regulated by the FFIEC might use the assessment tool to articulate and communicate organizational risk appetite (and tolerance) in a detailed and descriptive manner — a task that has traditionally been hard for organizations, financial and nonfinancial, to do with precision.

Demonstrating cybersecurity maturity in a measurable way, and providing a tailored, specific risk assessment, will provide a powerful statement of cybersecurity competence, relevant to a number of audiences. Firms that adopt FFIEC assessment methods will have the ability to examine how new products or services will change their risk profile and to think about the countermeasures needed to rebalance the risk/maturity equation. And like the NIST framework, the FFIEC assessment offers a good way to frame a conversation with your executive team, third-party stakeholders, and customers. Even if your regulator does not require your firm to use the assessment, you can use it as an adjunct to the framework to allow a targeted discussion of how organizational cybersecurity needs to be strengthened, informed by a detailed inherent risk analysis.

It is also clear that comprehensive assessments of cybersecurity governance are fast becoming the norm across all sectors. Anecdotal evidence suggests that 30% of organizations already use the NIST framework — a rate of adoption that could rise to 50% by 2020. NIST will likely develop the framework further over the next 12 to 18 months, and that development may well incorporate concepts introduced by the FFIEC, such as risk modeling and a more richly defined maturity assessment. Early adoption of the NIST framework or the FFIEC assessment will offer organizations the advantages of strengthened cybersecurity risk management programs and the ability to respond quickly to new regulatory requirements for cybersecurity.

Conclusion

The introduction of the FFIEC assessment provides a significant new opportunity for financial and other firms to articulate cybersecurity risk both inside and outside of the organization and to align that risk to an appropriate level of cybersecurity maturity. More important, it provides a degree of sophistication, repeatability, and flexibility that will allow organizations to dynamically manage their risk, as it changes with mergers and acquisitions, the addition of new services and products, or the implementation of new technologies.

Board members and executives at FFIEC-regulated institutions should bear in mind that the publication of the assessment is the likely first step in what promises to be an increasingly challenging requirement to demonstrate competence in managing cybersecurity risk. The FFIEC assessment also provides a marker for future regulatory requirements in sectors outside of finance.

The threat landscape is becoming ever more complex, and the ability to deploy a sophisticated, appropriate, and flexible response will become correspondingly more important. The assessment provides the opportunity to review your organization’s risk in a detailed but concise format and to calibrate your response — whether by reducing risk or putting additional resources into security controls — in a measurable and repeatable way. It allows board directors and senior management to quickly and efficiently channel resources and investment to the areas that pose the most cybersecurity risk to their organization.

How Promontory Can Help

Promontory provides resources and expertise to help companies develop practical risk management solutions that meet regulators’ and investors’ heightened expectations for cybersecurity. We will continue to monitor how the FFIEC and its member agencies develop the assessment and incorporate it into their examinations.

Contact Promontory

Please call or email us to discuss how you can use the FFIEC’s assessment tool to gauge the cybersecurity risks your firm faces and the maturity levels of your cybersecurity risk management. For more information, please get in touch with any member of our team:

Simon McDougall
Managing Director
smcdougall@promontory.com
+44 20 7997 3456

Kevin Hayes
Senior Principal
khayes@promontory.com
+1 202 370 0458